Professor Margaret Woods Aston Business School

Risk Management Systems in Major UK Public & Private Sector Organisations: A tale of contrasting cultures Professor Margaret Woods Aston Business School


Transcript of Professor Margaret Woods Aston Business School

Page 1

Risk Management Systems in Major UK Public & Private Sector Organisations: A tale of contrasting cultures

Professor Margaret Woods
Aston Business School

Page 2

Case Study Comparisons of Risk Management Systems in Major Public & Private Sector Entities

Structure of Presentation
• Background to the paper
• Cases & methodology
• Key findings - similarities & differences
• Contingency explanation of variations
• Conclusion

Page 3

Background
• CIMA funded project
• Public & private sector cases
• Interview based
• Pre credit-crunch

Page 4

Cases
• Tesco
• RBS
• Department of Culture Media & Sport
• Birmingham City Council

Page 5

Methodology
• Interviews: senior rm & internal audit staff plus operational managers & users of the system.
• Public sector both staff and politicians interviewed e.g. Chief Executive & Secretary of State
• Observation
• Internal documents
• Information systems

Page 6

Contribution to the Literature
• Need for studies looking at use of MCS at different levels of the organisation (Langfield Smith, 1997)
• Call for research which distinguishes between the existence and use of MCS (Langfield Smith, 1997)
• Risk management dimension barely covered in existing organisational literature

Page 7

Definitions (1)

Management Control
“the process by which managers ensure that resources are obtained and used effectively and efficiently in the accomplishment of the organisation’s objectives.” (Anthony, 1965)

Risks
“uncertain future events which could influence the achievement of the organisation’s strategic, operational and financial objectives.” (IFAC, 1999)

Risk Management
“process of understanding and managing the risks that the entity is inevitably subject to in attempting to achieve its corporate objectives.” (CIMA 2005)

Page 8

Definitions (2): Public versus private organisations

Three criteria used to distinguish them:
• Ownership
• Source of financial resources
• Model of social control (market v polyarchy)

(Perry & Rainey, Academy of Management Review, 1988)

Result: two public & two private (at time of study)

Page 9

Views from the Literature

• Fone & Young (2000) & Mcphee (2005)
  Anecdotal evidence that public sector risk management is distinctive & different
• Power (2004)
  Risk management of everything & alignment of risk management with good governance
• Collier et al (2006)
  Basic risk management structures are common across all large organisations (private sector only)
• Miller et al (2008)
  Risk management & standardised practices now central to both public & private sector organisations
• Power (2009)
  Need to shift from rule based compliance to use of “critical imagination” in risk management
• Mikes (2009)
  Calculative cultures – typologies of ERM interpretation

Page 10

Key Findings

Each case is different

but Strong similarities e.g. between public & private sector

and

Wide variations e.g. public sector more advanced in thinking re partnership risk and linking risk management to performance management

Two questions:

WHAT ARE THE SIMILARITIES/DIFFERENCES?

WHY DO THEY EXIST?

Page 11

Summary of Similarities & Differences

Similarities
• Perceived role of risk management
• Timing of the formalisation of systems
• Overall methodologies or models
• Risk management tools
• ICT support
• Control via self assessment

Differences
• Application of the models and tools
• Overall structure for risk management
• Dependence upon quantitative tools for evaluation & measurement
• Link from strategic objectives to operational performance – risk management as a bureaucratic structure versus an embedded process/mindset

Page 12

Similarities (1): Perceived Role of Risk Management

Tesco
“One of the reasons we are a successful company is because of risk management.”

RBS
“At the end of the day, risk management is nothing other than good husbandry on how you drive your business forward.”

Birmingham City Council
“Risk management is very much looking at achieving your objectives and what’s going to stop you.”

DCMS
Risk management is concerned with “the culture, processes and structures directed towards the effective management of potential opportunities and threats to the Department achieving its objectives.”

Page 13

Similarities (2): Timing of the formalisation of risk management systems

• Pressure from financial scandals in 1980s
  • COSO (1992)
  • Cadbury Code (1992)
• Private sector initiatives mirrored in public sector
  • Cadbury triggered Treasury Note (1994) & “Green Book” (1997)
  • Turnbull (1999) followed by NAO Report (2000): “work is underway on the appropriate method of adapting the principles of the Turnbull Report to the central government sector.” (NAO, 2000: 39).
• Transfer from central to local government
  • CIPFA/SOLACE governance framework (2001)

Page 14

Similarities (3): Generic Risk Management Methodologies

• Identify
• Source
• Measure
• Mitigate
• Monitor

Economist Intelligence Unit (1995)

Page 15

Page 16

The ERM Framework

ERM considers activities at all levels of the organization:
• Enterprise-level
• Division or subsidiary
• Business unit processes

Page 17

Similarities (4): System Tools

Assessment & Evaluation
• Likelihood consequences matrices
• Traffic lights

Response
• Risk registers
• Ownership
• Escalation of responsibilities

Page 18

Ranking by Likelihood and Consequence

[Figure: risk matrix with LIKELIHOOD on the vertical axis and IMPACT on the horizontal axis, each scaled Low, Medium, Significant, High; numbered risks 3, 6, 14, 2 and 5 are plotted in the grid.]

Page 19

RAG Assessment (DCMS)
• Red – The control(s) are not in place or will not reduce the risk to an acceptable level.
• Amber – The control(s) is insufficient to reduce risk to the tolerable level, or is not yet in place but is expected
• Green – The control(s) is in place and working effectively to reduce the risk to a tolerable level.

Page 20

Similarities (5): ICT Support
• RBS – dedicated rm software for quantitative analysis
• Birmingham City Council – Magique
• Tesco – ERP systems, customer facing data collection
• DCMS – sharing of partnership risks

Page 21

Similarities (6): Self Assessment

Private Sector
Combined Code, Section C2, p.14
“The board should, at least annually, conduct a review of the effectiveness of the group’s system of internal controls and should report to shareholders that they have done so. The review should cover all material controls, including financial, operational and compliance controls and risk management system.”

Public Sector
Statement of Internal Control – standard format (DAO, 2003):
“For the year ended 31 March 2009, that opinion concluded that there were no significant control issues arising that require disclosure in this Statement.”

NOTE MAJOR DIFFERENCE IN DETAIL!!!!

Page 22

Differences (1): Overall Structure for Risk Management

Separate function: determined by regulation
• Tesco: “having a risk management function probably gets in the way of actually managing the risks because people are thinking about the risks as opposed to thinking about the customer.”
• RBS: Function essential under banking regulations and supervisory process (ARROW)
• DCMS: Head of Risk at Departmental level
• Birmingham: Sits within internal audit

Job titles – professional risk officer

Page 23

Differences (2): Dependence upon quantitative tools

RBS: Extensive use for market, credit, liquidity monitoring. Essential as part of the Basel capital requirement regulations

Tesco: Hourly monitoring of sales statistics; daily pricing of standard basket; steering wheel targets e.g. financials & staff turnover

DCMS: Limited and primarily financial in nature

Birmingham: Performance monitoring for CPA targets e.g. Trading standards visits

Page 24

Differences (3): Link from strategic objectives to operational performance

Integrated
• Tesco: “people do it without actually knowing they are doing it, it's part of their accountabilities. They are held to account. We monitor things on such a micro level.”
• Birmingham: Forms part of the CPA evaluation, and risk forms part of individual performance review at operational levels.

Divorced
• RBS: Risk management defined by compliance with regulatory targets. Bonus culture separates remuneration from risk exposure.

Page 25

Problem

DiMaggio & Powell (1983) suggest coercive, mimetic & normative pressures may encourage similarity in search for legitimacy

but... institutional theory also suggests a need for “strategic fit” i.e. scope for variation

Does answer lie in distinguishing between existence and use of rm controls?

Page 26

Contingency Explanation for different levels of use
• Complexity of business model
• Level and nature of regulatory controls and accountability
• Organisational culture & informal controls over risk
• Criteria used to evaluate risk management – compliance v performance

Page 27

Complexity of Business Model

RBS – complex interdependent businesses. Go for silo approach.

Tesco – very simple value chain. What drives value?

Birmingham – complex, multiple interdependencies & partnerships. Learning via CPA.

DCMS – Multiple partnership risks. Still learning.

Page 28

Level & Nature of Regulatory Controls & Accountability

Regulations
• RBS subject to intense regulatory oversight - drives tools of control
• Tesco – greater discretion under Combined Code.
• Birmingham & DCMS – limited strategic choice – have to manage risks; accountability tight via SIC (and CPA for Birmingham)

Page 29

Organisational Culture & Informal Controls
• Ouchi (1979) “clan” controls
• Is performance against objectives high on the agenda and pervasive? e.g. Tesco slogans; shelf stacker
• Is performance measured purely in financial terms & shareholder value?
• Risk “champions”
• Isolated risk function – RBS 5th Floor

Page 30

Criteria Used to Evaluate Risk Management

Two different mindsets:

“are we within prescribed risk boundaries laid down either externally or internally?”

OR

“are we achieving the results we promised”

Page 31

Conclusion

Simons (1991): Control systems may be diagnostic or interactive.
• Cases suggest that diagnostic use equates to a compliance mindset
• Interactive use fits with a performance oriented mindset.
• Orientation depends upon a range of factors both internal and external to the organisation
• Only in latter does rm guide organisational learning via the application of “critical imagination.”